Privacy Policy

RaftingX ("RaftingX", "we", "us" or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://raftingx.com (the "Site") or use our services.

By accessing or using our Site and Services, by using the Site or our Services, you consent to the collection and use of information in accordance with this policy. If you do not agree with our terms and practices, please do not use the Site or its services.

1. Information We Collect

Personal Information

We may collect personally identifiable information ("Personal Information") that you voluntarily provide to us, including but not limited to:

• Contact Information: Name, email address, phone number, company name
• Communication Data: Information you provide when contacting us through our forms, email, or other communication channels
• Booking Information: Details related to your rafting bookings including date, time, number of participants, and expedition preferences
• Account Information: If you create an account, your credentials, password, and profile preferences
• Payment Information: Payment card details, billing address, and transaction history processed through our payment gateway (Razorpay)

Automatically Collected Information

When you visit our Site, we may automatically collect certain information about your device and usage, including:

• Device Information: IP address, browser type, operating system, device type ("Cookies", "Session data")
• Analytics Data: Website usage patterns, click paths, session recordings, pages visited
• Location Information: Approximate location based on IP address for relevant service delivery

Third-Party Information

We may receive information about you from third-party sources, such as:

• Business Partners: Information shared when you inquire about our services through partner channels
• Service Providers: Analytics providers, marketing platforms, and other service providers we work with

2. How We Use Your Information

Provide and Maintain Services

Respond to your inquiries and provide customer support. Process your bookings for river rafting expeditions and manage scheduling.

Improve Our Services

Analyze usage patterns to improve our website functionality and user experience. Develop new products, services, and features.

Marketing and Communications

Send you updates, marketing materials, and promotional content (with your consent where required). Notify you about services, route updates, and trip-related communications that may interest you.

Legal and Security

Comply with our legal obligations and respond to lawful requests. Enforce our terms of service and protect your rights and property.

Business Operations

Manage our business operations and services. Generate reports and aggregate insights.

3. How We Share Your Information

We do not sell, trade, or rent your Personal Information to third parties. We may share your information in the following circumstances:

Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Web hosting and infrastructure providers (e.g., AWS, CloudFront)
• Payment processors (e.g., Razorpay)
• Analytics platforms
• Communication services (e.g., MSG91 for SMS notifications)

Business Transfers

If RaftingX is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our site if your data is subject to a different privacy policy.

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., courts, subpoenas, government regulatory authorities).

Protection of Rights

We may disclose information to protect our rights, property, or safety, or that of our users or others, including in connection with legal proceedings.

With Your Consent

We may share your information for any other purpose with your consent.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of our services.

What Are Cookies?

Cookies are small data files stored on your device. We use both session cookies (which expire when you close your browser) and persistent cookies (which stay on your device until you delete them or they expire).

Types of Cookies We Use

• Essential Cookies: Necessary for the Site to function properly
• Analytics Cookies: Help us understand how visitors interact with our Site
• Third-Party Cookies:
  • Google Analytics: used to analyze website traffic
  • Razorpay: used for payment processing functionality

Your Cookie Choices

You can control cookies through your browser settings. Note that disabling cookies may limit your ability to use certain features of our Site. Visit www.aboutcookies.org for more information.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

Security Measures Include

• Encryption of data in transit (HTTPS/TLS)
• Secure data storage with access controls
• Regular security audits and vulnerability assessments
• Employee access controls and confidentiality agreements

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your Personal Information, we cannot guarantee absolute security. You acknowledge that you provide your information at your own risk.

6. Data Retention

We retain your Personal Information only for as long as is necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Active Accounts: Data retained for the duration of your account
• General Enquiries: Typically retained for 2 years after last contact
• Booking Data: Retained per government regulations for the duration of the booking plus an additional period as required by applicable law
• Marketing Data: Retained until you opt out or for the relevant statutory period

When we no longer need your information, we will securely delete or anonymize it.

7. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your Personal Information under applicable laws including GDPR, CCPA, and other privacy regulations:

Your Rights May Include

• Right to Access: Request a copy of the Personal Information we hold about you
• Right to Rectification: Request correction of any inaccurate or incomplete information
• Right to Erasure: Request deletion of your Personal Information subject to legal obligations
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to certain types of processing, including direct marketing
• Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@raftingx.com. We will respond to your request within 30 days or as required by applicable law.

8. Third-Party Links

Our Site may contain links to third-party websites, products, services, or resources that are not owned or controlled by us.

We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites you visit.

9. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect Personal Information from children.

If you become aware that your child has provided us with Personal Information, please contact us at privacy@raftingx.com. We will take steps to delete such information from our systems.

10. International Data Transfers

Your information may be transferred to and maintained on servers located outside your jurisdiction where data protection laws may differ.

By using our Site and Services, you consent to the transfer of your information to countries outside your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.

Notification of Updates

We will post the revised Privacy Policy on this page with a new "Last Updated" date. For material changes, we may provide additional notice to you (e.g., email notification).

We encourage you to review this Privacy Policy periodically for any information about how we protect your data.

12. Mobile Application

This section covers additional privacy practices that apply specifically when you use the RaftingX mobile application available on Google Play (Android) and the App Store (iOS). It supplements — but does not replace — the rest of this Privacy Policy.

Phone Number and SMS Authentication

The mobile app uses phone number + one-time password (OTP) authentication via SMS. When you sign in:

• Your phone number is collected to create or identify your account.
• A 6-digit OTP is sent to you via SMS through our messaging partner MSG91.
• Phone numbers are stored in our secure authentication system (AWS Cognito) and used solely for login, account recovery, and transactional notifications related to your bookings and trips.
• We do not send marketing SMS to authentication phone numbers without separate, explicit consent.

Camera Permission

The mobile app requests access to your device camera for a single, specific purpose:

• QR code scanning: River guides and Samiti members scan booking QR codes at put-in points to verify trips.

The camera is only active while the QR scanner screen is open. No photographs, videos, or images from the camera are captured, stored on your device, or transmitted to our servers. Only the decoded QR text (a short alphanumeric booking reference) is sent to our backend to look up the associated booking.

Users who do not scan QR codes (clients, booking staff, operator owners) will never be prompted to grant camera access.

Location Permission (GPS)

The mobile app requests precise location (GPS) for a single, specific purpose:

• Geofenced trip validation: River guides must be physically present at the designated put-in location to start a trip, and at the designated pull-out location to end a trip. The app uses GPS to verify this via a point-in-polygon check.

Your precise location is:

• Only read while the trip detail screen is open on a guide's device.
• Sent to our backend only at two specific events — when a guide taps “Start Trip” and “End Trip”.
• Never continuously tracked in the background, never sampled while the app is closed, and never shared with any third party.
• Retained with the trip record for operational audit (required for dispute resolution between operators, guides, and clients) and for the period described in Section 6 (Data Retention).

Users in roles that do not start or end trips (clients, booking staff, operator owners, Samiti members, administrators) will never be prompted to grant location access.

Biometric Login

If you enable biometric login (fingerprint or face), your biometric data is stored exclusively on your device using the Android Keystore (Android) or Keychain Services (iOS). Your biometric data is never transmitted to our servers. The biometric check only unlocks authentication tokens already stored on your device from a prior SMS OTP login.

Payment Information (Mobile)

Payments inside the mobile app are processed by Razorpay. Card numbers, UPI IDs, and banking credentials are entered directly into Razorpay's secure SDK and are never seen, collected, or stored by RaftingX. We receive only a payment reference, status, and amount. See Razorpay's privacy policy at razorpay.com/privacy.

Local Data on Your Device

The mobile app stores a limited amount of information locally on your device to keep you signed in and to show your recent bookings quickly:

• Authentication tokens (access, refresh, and ID tokens) are stored in platform-secure storage — Android Keystore on Android, Keychain Services on iOS.
• UI preferences (such as dark-mode toggle) are stored in standard app storage.
• All locally stored data is cleared when you log out or uninstall the app. Nothing is shared with third parties from this local storage.

Data Shared with Third Parties (Mobile)

The mobile app shares information with the same service providers listed in Section 3 (How We Share Your Information):

• MSG91: receives your phone number to deliver SMS OTPs and booking notifications.
• Razorpay: processes payment information you enter during booking.
• Amazon Web Services: hosts our backend, authentication, and data storage (AWS Cognito, AWS Lambda, MongoDB Atlas on AWS).

The mobile app does not include third-party analytics SDKs, advertising SDKs, or social-media tracking libraries.

Children

The mobile app is not intended for users under 18. Booking participants under 18 must be enrolled by a parent or legal guardian who accepts the indemnity terms on their behalf.

Revoking Permissions and Deleting Your Account

You may revoke camera or location permission at any time through your device settings (Settings → Apps → RaftingX → Permissions on Android; Settings → RaftingX on iOS). Revoking these permissions will disable the features that depend on them (QR scanning, guide trip start/end) but will not otherwise affect your account.

To delete your mobile account and associated data, email privacy@raftingx.com from the phone number associated with your account. Deletion will be processed per Section 7 (Your Data Protection Rights).

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us at: